Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

*Free Whitepaper: ArcSight Perspectives on Risk* Cyber attacks. Incident management. Legal issues. Security trends. The subjects are diverse, but the one powerful message is that security is the most important issue your company faces. Learn to make better decisions about risk management with this free collection of articles. Brought to you by ArcSight, the leader in compliance and security management.
http://www.sans.org/info/9391

SANS TRAINING UPDATE: In the next 120 days SANS training will be available in more than 30 cities in five countries, with the biggest programs in Washington DC at the end of July and Las Vegas at the end of September. Complete schedule at:
http://www.sans.org/training/bylocation/index_all.php
Two other ways to take SANS courses: (1) from your home or office you can learn from top SANS faculty teaching live online, with you asking questions in real time - very cool - called SANS @HOME:
http://www.sans.org/athome/
(2) Or have SANS faculty come to your site and shape the course to your specific needs:
http://www.sans.org/onsite/

Stored Communications Act Violates Fourth Amendment (June 19, 2007)

A US federal appeals court upheld a lower court ruling that said law enforcement agents need warrants to seize web-based email. The Sixth Circuit Court of Appeals said webmail users have a "reasonable expectation of privacy" regarding the content of messages stored on a remote host. The original 2006 ruling, unsuccessfully appealed by the US government, said the Stored Communications Act (SCA) violates the Fourth Amendment. The SCA had been used for 20 years to access stored email without a warrant.
-http://www.theregister.co.uk/2007/06/19/webmail_wiretaps_appeal/print.html
-http://www.heise-security.co.uk/news/91363

Blackberry Ban for French Government Officials (June 19 & 20, 2007)

Citing data security concerns, the French government has renewed its call for officials and their advisors to stop using Blackberries. Alain Juillet, senior economic intelligence advisor to the prime minister, says data transmitted to and from the devices could be intercepted. Blackberry developer Research in Motion (RIM) disagrees, pointing to their use of the 256-bit Advanced Encryption Standard (AES) to protect data transmitted across their networks.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025310&source=rss_topic17
-http://www.ft.com/cms/s/dde45086-1e97-11dc-bc22-000b5df10621.html
[Editor's Note (Schultz): It sounds as if there is little if any factual basis behind the French government's decision. At the same time, however, even if data interception is unlikely, there are plenty of other security-related vulnerabilities in BlackBerries that if unpatched can cause a wide variety of undesirable outcomes.]

THE REST OF THE WEEK'S NEWS

SPYWARE, SPAM & PHISHING

Austrian domain name registrar Nic.at has been placed on Spamhaus's blocklist because it allegedly supplied service to known phishing domains. The domains reportedly belong to a Russian phishing group that had used .hk (Hong Kong) domains until that registrar began cracking down on shady practices. The Austrian registry has reportedly been less than cooperative, indicating concerns should be addressed to the domain owners and that they need proof to support claims that the domains in question had been registered in the names of non-existent people and paid for with stolen credit card information. The listing of Nic.at is merely symbolic, however; no email is blocked. The purpose of the listing is to draw attention to the situation.
-http://www.theregister.co.uk/2007/06/21/austrian_registrar_phishing_row/print.html
-http://www.spamhaus.org/sbl/sbl.lasso?query=SBL55483
[Update from Bill Stearns at the Internet Storm Center: Update, 7/21: Nic.at has started to suspend phishing domains:
-http://www.spamhaus.org/organization/statement.lasso?ref=7]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple Patches IPv6, Apple TV Flaws (June 21, 2007)

Apple Computer has released an update for Mac OS X. Version 10.4.10 addresses a flaw in the IPv6 protocol's handling of type 0 routing headers. The flaw could be exploited to reduce network bandwidth. The flaw affects Mac OS X versions 10.4.x, but not prior versions. Apple also released an update for Apple TV. Version 1.1 has a buffer overflow flaw that could be exploited to cause denial-of-service conditions or allow arbitrary code execution.
[Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3006]
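As an added example (not code from Apple or from the Internet Storm Center diary), the following Python check walks an IPv6 extension-header chain and flags a Type 0 routing header that still has Segments Left set, which is the construct behind the bandwidth-consumption issue described above; the packet builder and the 2001:db8:: addresses are constructed for the example.

```python
import struct
from ipaddress import IPv6Address

# Hypothetical detector written for this example. It walks the IPv6
# extension-header chain and reports an "active" Type 0 Routing Header
# (RH0, Segments Left > 0), which RFC 5095 later deprecated outright.
EXT_HEADERS = {0, 43, 44, 60}   # Hop-by-Hop, Routing, Fragment, Destination Options
ROUTING, FRAGMENT = 43, 44

def find_rh0(pkt: bytes):
    """Return (segments_left, [listed addresses]) for an active RH0, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None                      # not an IPv6 packet
    next_hdr, off = pkt[6], 40
    while next_hdr in EXT_HEADERS and off + 2 <= len(pkt):
        # Fragment header is a fixed 8 bytes; others carry (Hdr Ext Len + 1) * 8
        hdr_len = 8 if next_hdr == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            return None                  # truncated chain: refuse to guess
        if next_hdr == ROUTING:
            rtype, seg_left = pkt[off + 2], pkt[off + 3]
            if rtype == 0 and seg_left > 0:
                n_addr = (hdr_len - 8) // 16
                addrs = [IPv6Address(pkt[off + 8 + 16 * i: off + 24 + 16 * i])
                         for i in range(n_addr)]
                return seg_left, addrs
        next_hdr, off = pkt[off], off + hdr_len
    return None

def build_sample(addrs, seg_left, with_rh0=True):
    """Constructed test packet: IPv6 header, optional RH0 listing addrs, no payload."""
    src, dst = IPv6Address("2001:db8::1").packed, IPv6Address("2001:db8::2").packed
    if not with_rh0:
        return struct.pack("!IHBB", 6 << 28, 0, 17, 64) + src + dst   # plain UDP-next
    rh = struct.pack("!BBBBI", 17, len(addrs) * 2, 0, seg_left, 0)
    rh += b"".join(IPv6Address(a).packed for a in addrs)
    return struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64) + src + dst + rh

if __name__ == "__main__":
    hit = find_rh0(build_sample(["2001:db8::a", "2001:db8::b"], 2))
    print("active RH0 found:", hit)
```

A packet whose RH0 lists the same few addresses many times is the one worth alerting on, since each listed hop is another traversal of the same links.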

MPack Detected on More Than 10,000 Websites (June 20, 2007)

The MPack kit has been detected on at least 10,000 websites worldwide. MPack attempts to install keystroke logging malware on site visitors' computers. MPack is sold by Russian hackers for US $1,000 and comes with one year of technical support. The websites infected with MPack are often legitimate ones. This most recent infestation is believed to have come when attackers managed to infiltrate computers at a large Italian website hosting company. The malware detects the browser being used and hones its attack accordingly.
[Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2991
-http://isc.sans.org/diary.html?storyid=3015]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Further investigation into the stolen backup tape containing personally identifiable information of tens if not hundreds of thousands of Ohioans has revealed that interns had been bringing such tapes home on a regular basis. According to established procedures, someone from the office would bring home Ohio Administrative Knowledge System (OAKS) backup tapes on a daily basis. (OAKS is Ohio's payroll and accounting system.) That policy was in place because of the high cost of having the tapes stored elsewhere. The data on the tape stolen from an intern's car on June 10 were not encrypted. Ohio Governor Ted Strickland has directed that the data be encrypted from now on. The backup tape storage policy has been changed so that the tape is now sent to another state facility.
-http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/06/19/BYEDATA.ART_ART_06-19-07_A1_N9728JD.html
[Editor's Note (Schultz): A similar incident involving an organization that had a policy of having employees bring backup tapes home with them occurred just several years ago. It is well time that organizations start learning from the past security-related mistakes of others.]

Court Says No To Voting Machine Source Code Review (June 19, 2007)

A candidate in a disputed Florida US congressional seat election has lost a bid to have the source code for the touch screen machines used in that election examined. Christine Jennings, who lost the election to Vern Buchanan, wanted the code checked to see if it could be the cause of apparent voting irregularities. Jennings maintains approximately 18,000 votes were not counted in the election; she lost the election by fewer than 400 votes. Jennings may have further recourse, however, as the alleged undervote is being investigated by both a US House Committee on Administration appointed task force and the Government Accountability Office (GAO). Recently enacted legislation in Florida has banned the use of touchscreen voting systems in the state.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025252&source=rss_topic17

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/